Measuring the ROI of GRC. Part 1: “Your Mileage May Vary”

When looking at the return on investment (ROI), “it’s not about getting the highest number—it’s what is most defensible,” said Hyoun Park, Principal Analyst at Nucleus Research. Park was speaking on March 28, 2013 to a webinar audience on the topic of how to quantitatively measure the ROI on governance, risk assessment, and compliance (GRC).

The two-speaker panel, convened by the Global Association of Risk Professionals (GARP), based their remarks on a study released in October 2012 by Nucleus Research. The report states “this research was conducted in context of the usage of IBM OpenPages, a software solution used to centralize the management and identification of enterprise GRC initiatives such as operational risk, financial risk, and IT governance throughout a distributed enterprise environment.”

Park laid out the approach Nucleus Research has used in over 400 case studies to determine the ROI of a change in GRC solution, measured by its impact on the organization. First, he underscored that any measurement of the ROI “must be based on your organization’s starting point,” not on comparison with other companies.

For measuring change, there are five factors that drive value, Park said: breadth, repeatability, risk, collaboration, and knowledge. Of these, breadth (“how many people will use it?”) and repeatability (“how often will they use it?”) carry the most weight.

The one-time costs when implementing a GRC solution are: software, hardware, training, personnel, and consultancy. These are straightforward; however, assessing benefits requires some skill. “Less is more,” said Park. “If you can’t entice the CFO with two benefits you’ve already lost.” The benefits range from direct savings (“reduction in cost”), which is most believable, to very indirect savings (such as “increased manager productivity”).

Park emphasized that time saved does not translate one-for-one into productive time worked: how people engage with their work may differ once the process is changed. This was the background to explaining the “productivity correction factor” used by Nucleus Research when they were examining the changes brought about by companies implementing OpenPages.

As for measuring the ROI of using OpenPages to co-ordinate a company’s GRC, Park covered seven key value propositions. He described in detail how the estimated cost savings figure is arrived at by his firm.

Risk assessment and auditing – Nucleus Research measured how many people were doing how many assessments, and how much overlap there was in the separate assessments. Multiply by the salary and the productivity correction factor.

Policy management – How many people worked on policy management who could be replaced by automation? Multiply by the productivity correction factor.

Control optimization – How many controls are tested, and how many hours does it take to run a test? Estimate the fraction that are redundant, and multiply by the PCF.

Issue remediation – The savings from issue remediation come about through eliminating duplication of resolving issues, as well as decreasing the time spent figuring out the remedy.

Operational and executive reporting – As one client said, “Risk assessment reports previously took multiple days to create as a manual report. We had to submit our risk requests to a single employee who might not be seeing every request.” With the striking visuals created through IBM Cognos and OpenPages, there is little need for such extensive labour.

Infrastructure savings – Again, to quote a client, “We were able to shut down between 60 and 100 separate application instances that were previously tracking risk functions, risk management, and information.”

Sarbanes-Oxley compliance – This value proposition refers to the write-off and the reputational risk of failing to meet compliance.

In response to a question from the audience, Park said that a “non-subjective” template for cost-benefit assessment was available from Nucleus Research.

For some “typical” values, Park showed how the sum of the preceding seven value propositions could lead to 200 percent ROI. But he cautioned that those who push for an all-encompassing solution for GRC should use conservative estimates to avoid overstating their case. After all, he said, “your mileage may vary.”